CVE-2026-25566

5.4 MEDIUM

📋 TL;DR

This CVE describes an authorization vulnerability in WeKan's card movement functionality. Users can move cards to boards, lists, or swimlanes without proper authorization checks for the destination, potentially enabling unauthorized cross-board moves. This affects all WeKan instances running versions prior to 8.19.

💻 Affected Systems

Products:
  • WeKan
Versions: All versions prior to 8.19
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments with multiple boards and user accounts are affected. Single-user instances are less impacted but still vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated user could move sensitive cards containing confidential information to boards they control, potentially exposing private data or disrupting board organization across the entire WeKan instance.

🟠 Likely Case

Users move cards between boards they should not have access to, leading to data leakage, organizational disruption, or privilege escalation within the Kanban system.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to minor organizational issues within boards where users already have some access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in the card move logic itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.19 and later

Vendor Advisory: https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e

Restart Required: Yes

Instructions:

1. Backup your WeKan instance.
2. Update to WeKan version 8.19 or later using your deployment method (Docker, Snap, etc.).
3. Restart the WeKan service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict board permissions (applies to: all)

Tighten board permissions to limit which users can move cards between boards.

Monitor card movement logs (applies to: all)

Implement enhanced logging and monitoring for card movement events.

🧯 If You Can't Patch

  • Implement strict board access controls and review all board permissions
  • Enable detailed audit logging for all card movement operations and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WeKan version. If version is below 8.19, the system is vulnerable.

Check Version:

Check WeKan admin panel or run: docker exec wekan-app cat /app/package.json | grep version

Verify Fix Applied:

After updating, verify version is 8.19 or higher and test card movement between boards with different permission levels.

📡 Detection & Monitoring

Log Indicators:

  • Unusual card movement patterns between boards with different permission levels
  • Cards appearing in boards where user lacks proper permissions

Network Indicators:

  • API calls to move cards with destination parameters pointing to unauthorized boards

SIEM Query:

source="wekan" AND (event="card-moved" OR event="card-updated") AND dest_board_id != src_board_id
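The SIEM query above only flags cross-board moves; the authorization gap described in this CVE is a move whose destination the acting user is not entitled to. The following added example (not part of the advisory and not WeKan's code) runs that stronger check over constructed audit events; the JSON field names and the board membership table are assumptions, not WeKan's real log schema.

```python
import json

# Constructed board membership table (assumption: one set of member user ids per board).
BOARD_MEMBERS = {
    "board-eng": {"alice", "bob"},
    "board-hr": {"carol"},
}

# Constructed card-move audit events in a hypothetical JSON-lines format.
# Field names (userId, srcBoardId, destBoardId, ...) are assumed, not WeKan's schema.
SAMPLE_EVENTS = """
{"event":"card-moved","userId":"alice","cardId":"c1","srcBoardId":"board-eng","destBoardId":"board-eng"}
{"event":"card-moved","userId":"alice","cardId":"c2","srcBoardId":"board-eng","destBoardId":"board-hr"}
{"event":"card-updated","userId":"carol","cardId":"c3","srcBoardId":"board-hr","destBoardId":"board-hr"}
{"event":"card-moved","userId":"bob","cardId":"c4","srcBoardId":"board-eng","destBoardId":"board-unknown"}
"""


def is_member(user_id, board_id, members=BOARD_MEMBERS):
    """True when user_id belongs to board_id; unknown boards have no members."""
    return user_id in members.get(board_id, set())


def find_suspicious_moves(log_text, members=BOARD_MEMBERS):
    """Return card-move events that crossed boards while the acting user is not a
    member of the destination board. This is the membership check a plain
    dest_board_id != src_board_id query cannot express on its own."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event") not in ("card-moved", "card-updated"):
            continue
        src, dest = ev.get("srcBoardId"), ev.get("destBoardId")
        if src == dest:
            continue  # same-board move: not the cross-board case this CVE is about
        if not is_member(ev["userId"], dest, members):
            findings.append({"cardId": ev["cardId"], "userId": ev["userId"],
                             "srcBoardId": src, "destBoardId": dest})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_moves(SAMPLE_EVENTS):
        print("ALERT: cross-board move without destination membership:", finding)
```

On the constructed sample this flags cards c2 (alice into board-hr) and c4 (bob into an unknown board) while leaving same-board moves alone.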

🔗 References
